Outlook Anywhere fails outside of my network

I'm trying to get Outlook Anywhere set up to work outside of my network, and I'm having some problems. I've used the connectivity tester at https://testconnectivity.microsoft.com, and it's giving me a somewhat vague error. It looks like this:

(Yeah, I know contoso is a placeholder.) That 404 error makes me think that IIS isn't configured correctly. But I just did a Set-OutlookAnywhere, which I understand is supposed to go into the IIS configuration to set things. This is what my Get-OutlookAnywhere looks like:

@Captain I am heading into a very busy weekend (most of them are during the summer, which is why you have not seen me on much on weekends), but what does a tracert look like to that server from outside of the network?

@Captain Next thing next, is the Exchange server open to the public or behind another firewall? And, follow-up question, if you do a dig or nslookup from public DNS servers, does it resolve to the correct address?

Also, Outlook Anywhere works properly inside the network, but not externally? Are you certain that you are using OA inside the network? That seems like an odd use case if so. Or, did you just do it for testing?

mail.contoso.org resolves to the building's IP address. Exchange server is behind a firewall. I opened ports 443 and 80, and they're pointing at the mail server. I can log in to the Outlook Web App and admin controls just fine.

I'm pretty sure we're using Outlook Anywhere inside the network, since email broke for a minute when I changed an OA setting...

Exchange 2013 uses the OA endpoint for any Outlook client, internal or external, so to me a disruption in Outlook access would be expected behavior if you start mucking around with OA.

So, I gather from your previous posts that Outlook is working internally, but not externally. Does Outlook Web App (https://mail.contoso.com/owa in a web browser) work externally? FWIW, there are migration tools that work with OWA access only, so OA isn't necessarily a hard stop for migrating to O365 (I know because my company does hard migrations with one of said tools).

> Exchange 2013 uses the OA endpoint for any Outlook client, internal or external, so to me a disruption in Outlook access would be expected behavior if you start mucking around with OA.

Yeah, that's my understanding too. I didn't even "really" change a setting, but the server's identity changed, and all the clients had to trash their profiles. Not ideal, but not totally awful.

> So, I gather from your previous posts that Outlook is working internally, but not externally. Does Outlook Web App (https://mail.contoso.com/owa in a web browser) work externally? FWIW, there are migration tools that work with OWA access only, so OA isn't necessarily a hard stop for migrating to O365 (I know because my company does hard migrations with one of said tools).

Yes, OWA works externally. I think. I'll try it from home tonight (but yeah, I'm 95% sure it does).

Is there a budget for migration? If you're open to investigating something, I'd be happy to give you my contact information and put you in touch with one of our sales guys and/or one of my teammates that works with O365 migrations all the time. I'm more in the MSP/server side, so I can't speak to technical details other than "it wurkz gud".

And if you want further help with troubleshooting OA, let me know and I'll be happy to help too. Certainly don't want to just barge in here, drop a business card, and leave.

404 Not Found is a code returned by your web server, or by an intermediate device. Have you looked at log files to see if any requests are being made to the OA endpoint, at all?

Are there any intermediate firewalls which might block the request because they don't understand the payload of your request? For example, if you have an old ISA server in your set-up this could block OA because it doesn't understand all the funkiness going on.

I think I actually cracked it. I'm not sure which specific change I made fixed it, but the connectivity tester works, and Exchange 365 is able to reach in and poke around. I will set off a migration tonight, and let email be somebody else's problem and save thousands of dollars on the migration for the kiddos and be a hero.